PP3 Analysis Flashcards
1
Q
Four types of Business Impact Analysis (BIA)
A
- An initial BIA.
- A product and service BIA.
- A process BIA.
- An activity BIA.
2
Q
Business continuity requirements can be defined as
A
the time frames, resources, and capabilities necessary to continue to deliver the prioritised products, services, processes, and activities following a disruption.
3
Q
Initial BiA:
A
Provides high-level analysis that can be used
to develop a framework for the more detailed BIAs. It
can also be used to clarify the scope of the BC programme (typically only required first time organization conducts a BIA).
4
Q
Product and Service BIA
A
Identify & prioritise products & services & determine
organization’s BC requirements at a strategic level.
5
Q
Process BIA:
A
Determine process or processes required
for delivery of organization’s prioritised products and services.
6
Q
Activity BIA:
A
Identify & prioritise activities that deliver most urgent products & services, & to determine resources
required for continuity of these activities.
7
Q
Products and services are defined as
A
“beneficial outcomes provided by an organization to its customers, recipients and interested parties.” (Source: ISO 22301:2012)
8
Q
A process is described as
A
“a set of interrelated or interacting activities which transforms inputs to outputs.” (Source: ISO 22301:2012) Process may be divided into a number of activities.
9
Q
An activity is defined as
A
One or more tasks undertaken by, or for an organization, that produces or supports the delivery of one or more products and services.
10
Q
MTPD
A
Maximum tolerable period of disruption
11
Q
MAO
A
Maximum acceptable outage
12
Q
RTO
A
Recovery time objectives
13
Q
Terms ‘maximum tolerable period of disruption’ or ‘maximum acceptable outage’ are used to describe
A
“the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become
unacceptable.” (Source: ISO 22301:2012)
14
Q
The ‘recovery time objective’ is defined as
A
“the period of time following an incident within which a product or service must be resumed, or activity must be resumed, or resources must be recovered.” (Source: ISO 22301:2012)
15
Q
Prioritised activities is defined as
A
“activities to which priority must be given following an
incident in order to mitigate impacts.” (Source ISO 22301:2012)
16
Q
The BIA process can be summarised as follows:
A
- Prioritise the organization’s products & services
by determining the MTPD for each. - Prioritise the process or processes required to deliver the organization’s most urgent products and services,
including identification of the activities that make up
those processes, if required. - Prioritise the activities that deliver the most urgent products and services, determine resources required for
continuity of these activities following an incident, as
well as their interdependencies. - Perform final analysis or consolidation of analyses which should lead to determination of BC
requirements. - Seek top management approval of BIA results.
17
Q
When conducting a BIA, the following points should be
considered:
A
- Scope of BC programme can be clarified, or may need to be modified following the initial BIA findings.
- Determining impacts over time should demonstrate to top management how quickly the organization needs to respond to a disruption.
- consistent approach to performing BIA should be used throughout the organization.
- Scope of BC programme can be clarified, or may need to be modified following the initial BIA findings.
- Determining impacts over time should demonstrate to top management how quickly the organization needs to respond to a disruption.
- Consistent approach to performing the BIA should be used throughout the organization.
18
Q
Methods & techniques used to collect the BIA information include:
A
- Workshops.
- Questionnaires.
- Interviews.
19
Q
Examples of documents to review as part of the BIA include:
A
- Existing BIA information, where relevant.
- The organization’s strategic plan.
- Annual reports.
- Departmental or business unit plans.
- Legal or regulatory requirements.
- Service level agreements.
- Risk assessments or risk registers.
20
Q
Main factors that should be considered when estimating MTPD of a disruption to product or service delivery are:
A
- Damage to financial value or viability (short or long-term).
- Damage to reputation or interested party confidence.
- Breach of legal or regulatory obligations.
- Failure to meet the strategic objectives of the organization
21
Q
Examples of impacts over time are as follows:
A
- Breaches of legal or regulatory requirements, for example, fines and reputational damage
- Financial impacts
- Environmental damage
- Delays to major projects or a new product launch, for example, delay to a development project and loss of expected revenue.
- Opportunities for competitors
- Health implications from a service failure, resulting in bad publicity & financial penalties.
22
Q
Minimum business continuity objective (MBCO).
A
MBCO is the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.”(Source: ISO 22301:2012)
23
Q
The process for developing an initial BIA should include:
A
- Deciding terms of reference and draft scope of
initial BIA. - Identifying products and services which can be grouped to simplify information collection and
analysis. - Agreeing impacts to be considered, for
example, financial and reputational. - Agreeing and documenting impacts over time
relating to delivery failure of products and services. - Estimating MTPD for each product and
service. - Identifying processes that deliver products or services. This should consider organization-wide and
departmental processes. - Identifying owners for each process, for example, subject matter experts to provide information
about the processes. - Identifying how and when a disruption to the
process could result in damage to the delivery
of products and services. - Presenting the findings to top management
for review and approval.
24
Q
Initial BIA should consider specific impacts, including:
A
- Backlogs and capacity issues.
- Duration or lead time of the process.
- Any non-standard or unique activities which are difficult to recover and could unexpectedly affect the continuity of the process.
25
Outcomes of an initial BIA are:
1. A list of the of the organization’s products and services (grouped together where appropriate).
2. Impacts over time relating to the delivery failure of products and services.
3. Estimated MTPDs for products and services.
4. List of processes and owners that contribute to the delivery of products and services.
5. Breakdown of internal and external activity dependencies.
6. A list of products, services, processes, and activities that have been excluded, along with the justification for the exclusion.
26
Examples of significant organizational
| changes:
1. Introduction of a new product or service.
2. Retirement of an existing product or service.
3. Relocation or a change in the geographical positioning of the business.
4. Significant change in business operations, structure, or personnel levels.
5. A significant new supplier or outsourcing contract
27
The product and service BIA process should
| include:
1. Reassessing scope of BC programme. This includes reviewing any exclusions and considering inclusion of new products or services.
2. Collecting the information necessary to perform
product and service BIA.
3. Understanding potential impact of significant
developments within organization or the operating
environment.
4. Assigning products and services to groups
for analysis purposes.
5. Reviewing impacts as well as the criteria to
determine the MBCO
6. Documenting impacts of a product or service
group delivery failure.
7. Estimating MTPD for each product or service group
8. Obtaining top management signoff of product
and service BIA results.
9. Proceeding to the process BIA.
28
Outcomes of a product and service BIA are:
1. Clarification or modification of the scope of the BC
programme.
2. A list of the organization’s prioritised products and services.
3. Evaluation of impacts over time
29
Process BIA should include the following steps:
1. Determine scope of process BIA
2. Identify process owners
3. Identify dependencies for processes that deliver
prioritised products and services
4. Identify suitable personnel, for example, subject
matter experts, to provide process-level information.
5. Collect information necessary to perform process BIA
6. Identify how disruption to process could result
in disruption to delivery of products and services
7. Define timeframe within which disruption to each
process would become unacceptable and cause
failure to deliver products and services.
8. Define any impacts not considered by top
management, such as backlogs and capacity issues.
9. Consider duration or lead time of the process.
10. Obtain confirmation from process owner
concerning accuracy of information in process BIA.
11. Obtain support from top management for
conclusions of process BIA.
12. Publish results of process BIA
30
Outcomes of the process BIA are
1. List of processes that contribute to delivery of
organization’s prioritised products and services within the scope of BC programme.
2. Identification of interdependencies of processes.
3. The MTPD, RTO, and RPO where appropriate for each process.
4. Identification of any processes that have been outsourced by the organization and therefore present an increased risk. Service level agreements and more frequent reviews should be considered for these processes.
31
Following information should be collected during the activity BIA
1. Processes that the activity supports (where appropriate).
2. Operational methods for the activity.
3. Duration or lead time of the activity.
4. Fluctuations in demand or peak operating times.
5. Factors not already discovered that may affect determination of BC requirements, for example, backlogs, or legal and regulatory requirements of this activity.
32
Detailed information regarding the resources required to continue activities fall into the following categories:
1. People.
2. Information and data.
3. Buildings, work environment and associated utilities.
4. Facilities, equipment, and consumables.
5. ICT systems.
6. Transportation.
7. Finance.
8. Partners and suppliers” (Source: ISO 22301:2012)
33
The activity BIA process should involve the
| following:
1. Identify and prioritise activities which contribute to the
process or processes that deliver prioritised products
and services.
2. Collect information necessary to perform activity BIA, including: • An understanding of activity details and interdependency information. • An understanding of activity specific RTOs. • A breakdown of the resources required to maintain activities at an agreed level and within MTPD and RTO.
3. Consider any additional activities that may be created
during a disruption, including need to clear backlogs.
4. Obtain approval by the activity owner to confirm accuracy of information.
5. Obtain support of top management for conclusions
34
Outcomes of an activity BIA are:
1. List of activities that contribute towards processes needed to deliver products and services.
2. MTPD and RTO and justification for each activity, which should determine time frame of solutions for each
activity.
3. Breakdown of activity dependencies, both internal and
external
4. An understanding of resources required to provide agreed service levels.
5. RPO for data and hard copy records.
6. Documentation of internal and external interdependencies for prioritised activities.
35
A risk is defined as
An effect of uncertainty on objectives (Source:
| ISO Guide 73).
36
A threat is defined as
A potential cause of an unwanted incident, which can result in harm to individuals, a system
or an organization (Source: ISO 22300:2012).
37
A risk assessment is defined as
An overall process of risk identification, risk analysis and risk evaluation.” (Source: ISO Guide 73)
38
Key steps when undertaking a risk and threat assessment as part of the BC programme are as follows:
1. List known and anticipated internal and
external threats.
2. Estimate impact of each threat on organization.
3. Determine probability of disruption for each threat.
4. Calculate a risk score of each threat by combining the
scores for impact and probability
5. Prioritise threats based on risk score for prioritised
activities.
6. Identify unacceptable areas of risk, which may
include single points of failure.
7. Share outcomes with relevant interested
parties.
8. Use information resulting from risk and
threat assessment to identify options for mitigation
measures in the Design stage of BC management lifecycle.
39
Organizations may find following sources provide
| useful information to carry out a risk assessment:
1. Risks and threats identified during the BIA process.
2. Risks and threats identified during previous exercises.
3. Previous incidents experienced by organization, and
captured in risk register or other incident reports.
4. Previous incidents recorded within industry sector or
geographical location.
5. Information or reports relating to threats and past
disruptions.
6. Horizon scanning activities.
7. Publicly available records about known local hazards
40
Outcomes from risk and threat assessment as part
| of the business continuity programme are:
1. An awareness of range of potential threats that could
disrupt the organization’s activities.
2. A prioritised list of threats based on the risk of disruption to organization’s activities.
3. Identification of any unacceptable risks and single points of failure.
4. Identification of potential options for measures to reduce frequency or scale of impact of the prioritised threats.
41
Final analysis should “…challenge and check the
| information to ensure that it is:
1. Correct, accurate and reliable.
2. Credible, believable, and reasonable.
3. Consistent, clear, and repeatable.
4. Current, up-to-date, and available in a timely manner.
5. Complete and comprehensive.” (Source: ISO/TS 22317:2015)
42
Final analysis and consolidation activity should result in
| the following:
1. Confirmation of impacts over time.
2. Review and confirmation of resource dependencies and requirements.
3. Consolidation of resource requirements, for example, across processes, organizational structures, or locations.
4. Review and confirmation of the interdependencies of processes and activities, and their relation to the delivery of products and services…”. (Source: ISO/TS 22317:2015)
